Incident response is often an afterthought and responsibilities are often unclear.
Speaking to IT Security Guru, Christian Toon, head of information risk at Iron Mountain, said that with a quite significant technical data breach, it is often not clear where the responsibility lies.
He said: “There is a gap between intent and action, so organisations know they need to do something but they are not following it through; everyone is struggling regardless of size. This is a wake-up call for industry, as we can protect and know we need to, but how do you do things smarter as a business and unlock value to get something from it so can be used?”
A recent survey of 1,800 mid and enterprise-sized businesses across Europe and North America by Iron Mountain and PwC found that 60 per cent of European respondents believe that responsibility lies with IT.
Toon said: “Often it is an afterthought to tell people, so you do begin to wonder that with a quite significant technical data breach, where does the responsibility lie? Organisations still say the responsibility sits with IT, but name me one CISO who has a good relationship with marketing. In an incident fallout who do they call to say “put this on the social media channel”. They just need to wake up and start to get more people involved.
“Everyone is really struggling to get a handle on this and make sure we know where accountability sits, as too often it is sat with IT.”
Asked if this was a case for IT and marketing to build a better relationship, TK Keanini, CTO of incident response vendor Lancope, said that information management and the general security of the business is the business’s problem.
He said: “The organisational charts have broken responsibility and roles apart in the organisation, but information and the security of that information passes through the entire business and so leaders are faced with putting humpty dumpty back together again and creating a system-wide strategy for these objectives.
“These trends are not surprising when you consider how we as individuals handle the prioritisation of data backup and security,” he said. “Human behaviour is similar at the individual and enterprise level, we are driven by threats and consequences we have experienced. Until then, countermeasures and defenses are delayed and deprioritised. Reports like this help business make it more of a priority, but unfortunately only a few heed the warnings.”
Claire Reid, PwC Risk Assurance partner, said: “Too many companies believe they understand the risks and value of information, but are frustratingly passive about doing anything about it. Your information may be the greatest business asset you have. Your customers have entrusted you with their most personal data – you cannot afford to allow information risk management to be a mere tick-box exercise.”